5 technology security myths, busted

Bill Snyder |
May 4, 2010

Think you can hide behind the privacy of an "unlisted" cell phone number? Think again. Maybe you believe you don't need security software on a Mac or iPad. You'd swear that Firefox is the safest browser in town. Wrong on both counts.

FRAMINGHAM, 3 MAY 2010 - Think you can hide behind the privacy of an "unlisted" cell phone number? Think again. Maybe you believe you don't need security software on a Mac or iPad. You'd swear that Firefox is the safest browser in town. Wrong on both counts.

Most of us don't think about security for our digital devices until something goes wrong, or it's time to renew an anti-virus subscription. But what the security experts like to call the threat landscape changes all the time, and keeping up is hard to do. So we'll save you some time. Here are five current facts that you probably don't know about digital security --but should.

1. Your cell phone is not a juicy hacking target

How's this for a loss of privacy: Your suspicious spouse's detective hacks into your voice mail, figures out who belongs to the private numbers you've been calling, tracks their whereabouts and then listens to their voice mail messages. That's a real possibility, according to two young security researchers who have found a way to exploit weaknesses in mobile telecom networks.

The researchers, Don Bailey, of iSec Partners, and independent security researcher Nick DePetrillo, presented a paper called "We Found Carmen San Diego," at the Source security conference in Boston last month.

The title of the talk was funny, but what the researchers found "scared us as well," Bailey, 31, said in an interview. "Anyone with some basic knowledge is capable of building the attack tool we developed." Let's hope Bailey was being a bit modest, but the threats he and DePetrillo, 27, found are being taken quite seriously by wireless providers, they said.

Bailey and DePetrillo are "white hats" with no interest in publicizing detailed hacking techniques, but they did give me a glimpse into how they do what they do. With my permission, the researchers did a bit of searching on my personal information and found enough to convince me that they are for real.

First and foremost, they have learned how to enter the various caller ID databases, a collection of phone numbers matched to subscriber names by providers for use in caller ID service. Like you, I never suspected that wireless numbers are also entered in those databases. But a number of major wireless providers have begun doing so. The researchers won't say which companies have and which companies have not.

Caller ID information can be matched with other data culled from the global SS7 telecommunications network, including information from the Home Location Record database, and mobile switching centers.

The good news here: the providers are working hard to plug the holes found by Bailey and DePetrillo. However, some of the weaknesses that allow that type of hacking are based on the fundamental design of the cellular network, so the fix is not an easy one.